Thycotic’s Cyber Security Publication

Cybersecurity Awareness: Empowering Our People

May 5th, 2017

Guest column by SailPoint, the leader in enterprise identity management, brings the Power of Identity to customers around the world. As both an industry pioneer and market leader in identity governance, SailPoint delivers security, operational efficiency and compliance to enterprises with complex IT environments. Author: Darren Rolls

Like it or not, when it comes to the enterprise, our people are the new attack vector, which is why cybersecurity awareness training is so important. While our identity governance solutions help protect and empower the company, we know that the first line of defense lies with every single person under the proverbial roof of that company. We encourage our customers, contractors, employees and partners to stay educated through cybersecurity awareness training, because as we’ve recently witnessed, data breaches often times create a domino effect with serious collateral damage.

The Human Attack Vector

As we’ve seen in the news, cyber attacks are becoming more sophisticated and more targeted as hackers hone in on the inherent vulnerability of the human attack vector. As I’ve detailed in the Anatomy of a Databreach, hackers often spend huge cycles in the reconnaissance portion of an attack, isolating targets and conducting thorough research before striking. These attacks come in many forms, including aggressive cracking, phishing and spear phishing, social engineering via phone, in person and even at the workplace. As technology continues to evolve with things like BYOD, the cloud and the remote workforce, the attack surface is expanding. And hackers are taking note.

It’s not enough for employees to be aware of the potential cybersecurity pitfalls at work. Even if employees follow security protocols in the office, they often forget about other potential attack vectors like personal phones, tablets and computers, which are often used to access corporate data. Employees also volunteer valuable personal information through social media that, when combined with what’s available on the web from previous data breaches, gives hackers a comprehensive view of a user’s identity. With all of this information at their fingertips, it’s easy for hackers to gain access to employee accounts, and by extension, the enterprise.

And sadly, it doesn’t stop with employees. Friends and family are also targets, providing access to information about intended targets. Because of this, it’s important that employees emphasize the importance of cybersecurity awareness with those closest to them and follow best practices outside of the workplace. For example, not letting friends and family use work devices, not connecting to unsecured networks via any device, and not using unapproved devices to access company applications and systems.

What Is Your Role?

Each person in an organization plays a key role in helping to ward off a potential data breach. Employees can learn to be good custodians of the company’s data by adopting security best practices, participating in all cybersecurity awareness trainings, managing their own access and alerting the appropriate internal contacts when they suspect a breach has been attempted. And at the end of the day, employees should always assume they’re targets and act accordingly by taking simple security steps like locking their computers when they leave their desks, turning off Wi-Fi when they aren’t on the network, and even physical measures like covering built-in cameras and locking laptops in secure locations when they leave the office.

Conversely, IT’s job is to educate and equip employees through cybersecurity awareness training, including internal tests like phishing training, targeted attacks and even social engineering to make sure employees understand the various methods hackers will use to gain entry to the enterprise. IT can also take a holistic approach to lifecycle management, following employees through the joiner, mover and leaver process to make sure their access is appropriate at each stage. In order to do this effectively, IT needs the right identity governance tools to track the user lifecycle, evaluate access and prevent entitlement creep. Identity governance can also provide added security layers that both enhance security and enable users like password management and single-sign on. The ultimate goal is to empower employees across vs. stilting them, instilling confidence versus fear, all without compromising security. The beauty of this is that identity governance gives us the power to do it, while keeping our data safely in our hands.

Are We Fighting Losing Battle?

With cyberattacks hitting the headlines every day, employees and enterprises are getting fatigued and also facing the reality that no one is exempt (not even the National Security Agency or the Office of Personnel Management). Many are likely wondering if we’re fighting a losing battle, facing the harsh reality that 1 in 4 organizations will be breached. The one thing we’ve learned is that it’s not such a bad thing if you get owned. In fact, organizations are being more open and honest when a breach does occur, and other organizations are less likely to pick up their pitchforks, just in case they’re next.

These days, it’s all about the balance between prevention and detection. If the old version of protection is the traditional perimeter, the next wave is a balance of prevention AND detection through employee education and a user-centric security posture, including a robust identity governance platform. With identity governance, the measures we take in prevention can also be enablers in detection, providing insight into all elements of the IT ecosystem. Identity governance can quickly detect breaches and comprehensively, remediate them, making it a critical element in a world of vulnerability, compromise, detection and response.

Ultimately, look at your people as principal key holders to the all-important ‘keys’ to the kingdom – arm them with the security awareness tools they need to be stewards of your company’s data. Not only will this keep every user’s personal data safe, but it’ll provide your company with an additional layer of protection, keeping you on your front foot, advancing with confidence.